It doesn't get much scarier than this. Bluebox Security claimed to have discovered a vulnerability in Android's security model that could allow attackers to convert 99 percent of all applications into Trojan malware. Google has told ZDNet that the hole has been patched and that the fix has been released to original equipment manufacturers (OEMs).
Bluebox Security CTO Jeff Forristal had said that this Master Key vulnerability has been "around at least since the release of Android 1.6, [and] could affect any Android phone released in the last four years — or nearly 900 million devices."
This security vulnerability lies in how Android applications are verified and installed. Each application carries a cryptographic signature that is meant to ensure its contents have not been tampered with. The security hole, however, enables attackers to change the contents of an application while leaving the signature intact, so the modified application still passes the installer's verification.
Gina Scigliano, Google's Android Communications Manager, said that while Google didn't have a statement, she could "confirm that a patch has been provided to our partners - some OEMs, like Samsung, are already shipping the fix to the Android devices."
Thus, Android users will, as they always have, need to rely on their hardware vendors for this update.
They may not need to worry too much. Scigliano added, "We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play."